KMS - Tips To Successfully Add A KMA To A Cluster

Asset ID:	1-71-1019675.1
Update Date:	2011-11-02
Keywords:

Solution Type Technical Instruction Sure

Solution 1019675.1 : KMS - Tips To Successfully Add A KMA To A Cluster

Applies to:

Sun StorageTek Crypto Key Management System - Version: Not Applicable and later [Release: N/A and later ]
All Platforms
Checked for relevance on 10-Feb-2011.

Goal

Tips to successfully add a KMA to a Cluster.

Solution

Steps to Follow
When adding a new KMA to an existing KMS Cluster, first the new KMA has to be defined in the KMS Cluster using the Create command on the KMA List screen while connected to an existing KMA in the Cluster. This will define the new KMA in the Cluster and allow the actual new KMA to join the Cluster.
Values that need to be entered carefully when Quickstarting the new KMA that is to be added/joined to the existing KMS Cluster:

   Joining KMA's Name - must match value defined in existing KMS Cluster for the new KMA
   IP address or hostname of existing KMA in KMS Cluster (i.e. the "target KMA") - needs to be correct so new KMA can find the existing KMS Cluster
   Joining KMA's passphrase - must match value defined in existing KMS Cluster for the new KMA
   Quorum Credentials - must match Quorum Credentials in existing KMS Cluster

Attributes of new KMA that may need checked in existing KMS Cluster:
Failed Login Attempts - When a join of the new KMA fails due to an incorrect KMA passphrase, this value will be incremented.
If this value is equal to or greater than the "Login Attempt Limit" value in the Security Parameters of the KMS Cluster, then the new KMA will be locked out and will not be able to join the KMS Cluster until the KMA's passphrase is reset in the KMS Cluster.

Join KMA to Existing Cluster potential problems:

1. Incorrect KMA Name for joining KMA entered in Quickstart

On KMA already in Cluster should see error audit similar to:
      Operation: Retrieve Root CA Certificate
      Severity: Error
      Condition: Entity is not valid
      Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart, in this case it will be incorrect)
      Message Values:

Check KMA Name defined in KMS Cluster and enter correctly when Quickstarting new KMA again.

2. Incorrect IP address or hostname for target KMA or incorrect network configuration for joining KMA entered in Quickstart

On KMA already in Cluster there will not be any audits indicating the joining KMA was able to contact the target KMA.
Look for the following audit after the point in time when the join was performed:
      Operation: Retrieve Root CA Certificate
      Entity ID: Name of joining KMA (as entered in joining KMA's Quickstart)
This is the first audit created in the Cluster when the joining KMA attempts to join the Cluster, if this audit does not exist (whether it is "Success" or "Error") then the joining KMA was not able to find the Cluster.

Check that IP address or hostname of target KMA is correct and enter correctly when Quickstarting new KMA again.
Also check that network configuration of joining KMA is correct and enter correctly when Quickstarting new KMA again.

3. Incorrect passphrase for joining KMA entered in Quickstart

On KMA already in Cluster should see error audit similar to:
      Operation: Retrieve Entity Certificate
      Severity: Error
      Condition: Invalid Challenge response
      Entity ID: Name of joining KMA
      Message Values:

Verify correct passphrase for new KMA is being entered (if necessary reset passphrase for new KMA in Cluster) and enter correctly when Quickstarting new KMA again.

4. Joining KMA's passphrase entered incorrectly too many times in Quickstart

On KMA already in Cluster should see that new KMA's Failed Login Attempts value is equal to or greater than the Login Attempt Limit in the Cluster's Security Parameters.
On KMA already in Cluster should see error audit similar to:
      Operation: Retrieve Entity Certificate
      Severity: Error
      Condition: Failed login attempts limit exceeded
      Entity ID: Name of joining KMA
      Message Values:

Reset passphrase for new KMA in Cluster and enter passphrase correctly when Quickstarting new KMA again.

5. Incorrect Quorum User Name(s) on insufficient Quorum User Name(s) entered in Quickstart

On KMA already in Cluster should see error audit similar to:
      Operation: Join Cluster
      Severity: Error
      Condition: Invalid input
      Entity ID: Name of joining KMA
      Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

Check "Quorum Key Split User Name" values to make sure they match what is defined in the cluster and that a sufficient number of them were provided and entered correctly when Quickstarting a new KMA again.

6. Incorrect Quorum User Passphrase(s) entered in Quickstart

On KMA already in Cluster should see error audit similar to:
      Operation: Join Cluster
      Severity: Error
      Condition: Invalid Quorum passphrase
      Entity ID: Name of joining KMA
      Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

Verify correct passphrase(s) for Quorum are being entered and enter correctly when Quickstarting new KMA again.

@ KMS, KMA, Incorrect Quorum User Passphrase, Incorrect Quorum User Name, Joining KMA's passphrase entered incorrectly too many times in Quickstart,Incorrect IP address or hostname for target KMA, Incorrect KMA Name Cluster

Attachments

This solution has no attachment